On 20 December 2019, the ICO fined a London pharmacy £275,000, due to a number of serious breaches of the GDPR. This is the first GDPR fine that the ICO has issued. Previous 'intentions to fine' have been announced by the ICO, for example in relation to the security breach by British Airways, however a final decision has not yet been reached in those cases.
The pharmacy, Doorstep Dispensaree Ltd, left around 500,000 documents in unlocked containers at the back of its premises. The documents contained information on names, addresses, dates of birth, NHS numbers, medical information and prescriptions belonging to an unknown number of people. The ICO asked the pharmacy to provide certain information in the course of the investigation, including its privacy notice and data retention policy or guidance. The ICO also issued the pharmacy with an enforcement notice due to the significance of the contraventions, meaning that the pharmacy had to make changes to its data protection compliance within three months.
The pharmacy was dealing with health data relating to vulnerable adults in care homes and the ICO considered this when determining what enforcement action was appropriate. Even for organisations that don't handle such sensitive information, it is worth noting that the ICO asked to see evidence of a data retention policy and a privacy notice during the investigation. The key lesson remains that GDPR compliance is an ongoing task, not a one-off fix.